How can I deny interactive shells, but still allow (secured) scripts or commands to be executed with "-i", so as to adopt the 'run as' user's environment?
Applies to:
All versions of Centrify DirectControl on all supported platforms.
Question:
How can I deny interactive shells, but still allow (secured) scripts or commands to be executed with "-i", so as to adopt the 'run as' user's environment? Is this even possible?
Answer:
Yes. This is possible through command definitions that prevent users from spawning interactive shells via 'dzdo'. Below is an example set of definitions that denies an interactive shell while still allowing secured scripts or commands to run (configured in Access Manager under <Zone>/Authorization/UNIX Right Definitions/Commands):
---- Allow direct execution of secured scripts/binaries at the designated path
---- Allow execution of secured scripts/binaries with the designated shell, at the designated path, and with interactive shell ('dzdo -i <command>' invokes '<shell> -c <command>', so the definition must match that form)
---- Denial of starting an interactive shell without arguments (e.g. this would match and block 'dzdo csh -i', but would not match, and therefore would allow, 'dzdo csh -i /allowed/path/*', because the earlier definitions already cover it)
Note: The space preceding the '$' (end-of-line anchor) is required for this to function as expected.
Demonstration using the above command definitions:
[root@lab-rhes66-64 ~]# cat /tmp/scripttest.csh
#!/bin/csh
echo "Secure script test" $0
[root@lab-rhes66-64 ~]# diff /root/work/scripttest.csh /tmp/scripttest.csh
[root@lab-rhes66-64 ~]# ls -l /tmp/scripttest.csh
-rwxr-xr-x. 1 cook unixuser 35 Oct 28 09:33 /tmp/scripttest.csh
[root@lab-rhes66-64 ~]# ls -l /root/work/scripttest.csh
-rwxr-xr-x. 1 root root 35 Oct 28 09:34 /root/work/scripttest.csh
[user1@lab-rhes66-64 ~]$ /tmp/scripttest.csh
Secure script test /tmp/scripttest.csh
[user1@lab-rhes66-64 ~]$ dzdo csh
Sorry, user user1 is not allowed to execute '/bin/csh' as root on lab-rhes66-64.
[user1@lab-rhes66-64 ~]$ dzdo csh ls
Sorry, user user1 is not allowed to execute '/bin/csh ls' as root on lab-rhes66-64.
[user1@lab-rhes66-64 ~]$ dzdo csh /tmp/scripttest.csh
Sorry, user user1 is not allowed to execute '/bin/csh /tmp/scripttest.csh' as root on lab-rhes66-64.
[user1@lab-rhes66-64 ~]$ dzdo csh /root/work/scripttest.csh
Secure script test /root/work/scripttest.csh
[user1@lab-rhes66-64 ~]$ dzdo /root/work/scripttest.csh
Secure script test /root/work/scripttest.csh
[user1@lab-rhes66-64 ~]$ dzdo -i /root/work/scripttest.csh
Secure script test /root/work/scripttest.csh
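The session above is exactly the check worth re-running every time the command definitions are edited, since a definition that is one glob too wide or one trailing space too short silently changes what the user may run. The script below is an added example, not Centrify code: it feeds the same commands through dzdo as the unprivileged user and compares each outcome with the allow/deny result recorded in the demonstration. It assumes only that dzdo prints the 'is not allowed to execute' text shown above when it refuses a command; ALLOWED_DIR, DZDO and the function names are the script's own. Cases from the catch-all variation further down can be added as extra 'expected|arguments' lines.

```shell
#!/bin/sh
# Regression check for a set of dzdo command-right definitions.
# Added example (not Centrify code): every case below is taken from the
# demonstration session; ALLOWED_DIR, DZDO and the function names are this
# script's own. Denial is recognised from the text dzdo prints
# ("... is not allowed to execute ..."), so nothing is assumed about
# dzdo's exit status.

ALLOWED_DIR="${ALLOWED_DIR:-/root/work}"   # directory the allow definitions cover
SCRIPT="$ALLOWED_DIR/scripttest.csh"       # the secured script used in the demo
DZDO="${DZDO:-dzdo}"                       # point at a stub to exercise offline

# classify ARGS... : runs "dzdo ARGS..." and prints "deny" or "allow".
classify() {
    out=$("$DZDO" "$@" 2>&1) || true
    case "$out" in
        *"is not allowed to execute"*) echo deny ;;
        *) echo allow ;;
    esac
}

# check_policy : runs each "expected|arguments" case, prints one PASS/FAIL
# line per case and returns the number of mismatches (0 when the policy
# behaves as the demonstration shows).
check_policy() {
    fails=0
    while IFS='|' read -r expected args; do
        [ -z "$args" ] && continue
        # intentional word splitting: $args holds separate dzdo arguments
        got=$(classify $args)
        if [ "$got" = "$expected" ]; then
            printf 'PASS  %-5s  dzdo %s\n' "$expected" "$args"
        else
            printf 'FAIL  expected %-5s got %-5s  dzdo %s\n' "$expected" "$got" "$args"
            fails=$((fails + 1))
        fi
    done <<EOF
deny|csh
deny|csh ls
deny|csh /tmp/scripttest.csh
allow|csh $SCRIPT
allow|$SCRIPT
allow|-i $SCRIPT
EOF
    return "$fails"
}

# Run the checks only when invoked as:  sh check_dzdo_policy.sh run
case "${1:-}" in run) check_policy ;; esac
```

Run it as the user whose rights are being tested, not as root. The three 'deny' cases pass under the first set of definitions because anything not matched by an allow definition is refused; under the catch-all variation below, the same three commands would be allowed unless an explicit '!<command>$' denial covers each of them, which is why that variation needs the extra denials the note there describes.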
======= (Optional) Variation to the above definitions. This will accomplish the same results, but is a bit more flexible with allowances:
Note: This variation is not production-ready as written, because of the 'Catch-all' definition. It must be tailored to fit your environment and requirements, and explicit denials should be configured for anything that is not meant to be allowed. The base template below blocks an interactive shell for anything not contained within '/allowed/path/' and blocks spawning an interactive shell without contextual arguments (i.e. '<shell> -i').
---- Allow anything not explicitly denied via '!<command>$' definitions
Name: Catch-all
Command: *
Form: Glob expressions
Run As: root
Path: Specific path: *
---- Denial of explicit start of interactive shell
---- Allow execution of secured scripts/binaries with the designated shell, at the designated path, and with interactive shell ('dzdo -i <command>' invokes '<shell> -c <command>', so the definition must match that form)
[user1@lab-cent66-64b ~]$ dzdo csh
Sorry, user user1 is not allowed to execute '/bin/csh' as root on lab-cent66-64b.
[user1@lab-cent66-64b ~]$ dzdo csh -i
Sorry, user user1 is not allowed to execute '/bin/csh -i' as root on lab-cent66-64b.
[user1@lab-cent66-64b ~]$ dzdo /tmp/graytest.sh          <====== this will be allowed by catch-all
Sorry, user user1 is not allowed to execute '/tmp/graytest.sh' as root on lab-cent66-64b.
[user1@lab-cent66-64b ~]$ dzdo /allowed/path/graytest.sh
Secured script test /allowed/path/graytest.sh
[user1@lab-cent66-64b ~]$ dzdo csh /tmp/graytest.sh      <===== this will be allowed by catch-all
Sorry, user user1 is not allowed to execute '/bin/csh /tmp/graytest.sh' as root on lab-cent66-64b.
[user1@lab-cent66-64b ~]$ dzdo csh /allowed/path/graytest.sh
Secured script test /allowed/path/graytest.sh
[user1@lab-cent66-64b ~]$ dzdo csh emacs                 <===== this will be allowed by catch-all
Sorry, user user1 is not allowed to execute '/bin/csh emacs' as root on lab-cent66-64b.
[user1@lab-cent66-64b ~]$ dzdo -i /allowed/path/graytest.sh
Secured script test /allowed/path/graytest.sh
[user1@lab-cent66-64b ~]$ dzdo csh -c /allowed/path/scripttest.sh
Secured script test /allowed/path/scripttest.sh
[user1@lab-cent66-64b ~]$ dzdo csh -v /allowed/path/scripttest.sh
Sorry, user user1 is not allowed to execute '/bin/csh -v /allowed/path/scripttest.sh' as root on lab-cent66-64b.
[user1@lab-cent66-64b ~]$ dzdo -i /tmp/scripttest.sh     <===== this will be allowed by catch-all
Sorry, user user1 is not allowed to execute '/bin/csh -c /tmp/scripttest.sh' as root on lab-cent66-64b.
[user1@lab-cent66-64b ~]$ dzdo csh -c /tmp/scripttest.sh <===== this will be allowed by catch-all
Sorry, user user1 is not allowed to execute '/bin/csh -c /tmp/scripttest.sh' as root on lab-cent66-64b.